PAPER D

 

 

AUDIT PANEL - 21 OCTOBER  2004

 

INTERNAL AUDIT PROGRESS REPORT

 

REPORT OF THE CHIEF INTERNAL AUDITOR

 

 

PURPOSE

 

This report is to provide the Panel with a summary of Internal Audit activity completed since the last report of 29th July 2004. The Panel is invited to note the contents of the report and to seek clarification of any issues arising from audits undertaken.

 

BACKGROUND 

 

In keeping with good corporate governance practice, a Panel of elected members should have oversight of the activities of the Internal Audit Service for the following purposes:

 

·        The Panel should monitor Internal Audit’s performance, both in terms of the quality and quantity of its work;

·        The Panel should satisfy itself that Internal Audit has devoted its attention to the appropriate issues;

·        The Panel should consider the results of Internal Audit reviews to ensure that any significant findings, including control weaknesses, are addressed, and to ascertain whether, in the opinion of the Chief Internal Auditor, adequate and satisfactory responses have been given by the Authority’s management;

·        The Panel should recommend, if necessary, that further attention should be given to some of the issues raised.

 

To facilitate this process, attached as Appendix A are synopses and summaries of significant audit work completed since 29th July 2004.

Appendix B contains full executive summary reports of audits performed on the council’s corporate governance arrangements and the risk management framework. These are reported to the Panel in a fuller format as we take the view that the review of the overarching arrangements for the achievement of good corporate governance and risk management should be the highest priority for the Audit Panel.  The purpose of performing these audits was to inform internal audit’s view as to the reliability of the contents of the Statement of Internal Control which was produced after the end of financial year 2003/2004 but related to the control arrangements that existed during that financial year. Therefore, both reports relate to the same period and members should be aware when reading these reports that they relate to a particular period in time and some of the issues identified in these reports have moved on since 31st March 2004.  

 

At the last meeting, members queried the status of recommendations made in respect of the audit of Industrial Sites which at that time had not been fully resolved with departmental management in Property Services. We can now confirm that all three recommendations suggested in the audit report have been agreed. In brief, the recommendations were:

 


·        In order to ensure business continuity in the event of key personnel becoming unavailable for whatever reason, data held in the property database should be more comprehensive so that there is a clear trail of how decisions regarding rent levels etc. have been arrived at. This would allow officers unfamiliar with this area to continue managing the operation in the absence of key personnel. It was further recommended that temporary clerical support be sought for a short period to populate the database with the additional information needed.

·        In order to ensure full recovery of electricity and water recharges at Lowtherville Industrial Estate, the Principal Estates Surveyor should identify the causes of undercharging and rectify the situation.

·        The property file should include information relating to how the tenant applied for the site. References should be taken for every new tenant.

 

PROGRESS ON THE INTERNAL AUDIT PLAN FOR 2004/2005

 

The end of September is half way through the financial year and is an opportunity to report progress against the audit plan.  There has been slippage in progress which means that it is unlikely that the whole plan will be completed by the end of the financial year. The causes of slippage are as follows:

 

·        Assumptions about staffing resources when the original plan was formulated have proven to be incorrect: a combination of a staff member leaving and anticipated job evaluation grade increases has stressed the budget so that we cannot safely fill the vacancy without risking a budgetary overspend.

·        Completing projects from the previous financial year, particularly core systems audits required by the Audit Commission, has taken longer than anticipated, which reduces the amount of time available for the current year’s projects.

·        Our involvement in supporting the GAGs initiative, by seconding a member of staff to the GAGs team and by the heavy involvement of the ICT auditor in providing project assurance to the various strands of GAGs, has further reduced our capacity to deliver planned projects.

·        The number of special investigations has exceeded expectations, which again reduces the amount of time available for planned projects.

 

Two initiatives are being pursued to mitigate the effects of the anticipated non-completion of the whole plan:

 

  1. The Chief Financial Officer has agreed to backfill 50% of the costs of the member of staff seconded to GAGs which has enabled us to appoint a temporary member of staff for six months. This staff member will be fully engaged in delivering core financial systems reviews as required by the Audit Commission.

  2. We propose to prioritise the projects outstanding by their risk rating so that all high risk projects will be completed within the year. As many lower risk projects as is possible will also be attempted but it is unlikely that they will all be completed by 31st March 2005.

 


FINANCIAL, LEGAL, CRIME AND DISORDER IMPLICATIONS

 

There are no significant financial or legal implications of this report, given that it is a progress report on the Internal Audit function. The Panel is reminded that the Council is required by statute (the Accounts and Audit Regulations) to have an adequate and effective Internal Audit function.

 

RELEVANT PLANS, POLICIES, STRATEGIES AND PERFORMANCE INDICATORS

 

 None

 

CONSULTATION PROCESSES

 

None

 

BACKGROUND PAPERS USED IN THE PREPARATION OF THIS REPORT

 

Audit project files held by G Richardson – ext 3683

 
APPENDIX A

 

1.      S17 of the Children Act 1989 – Children’s Services

 

This audit was carried out as part of the 2004-05 Audit Plan. The purpose of Section 17 expenditure is to enable vulnerable children to continue to stay with their families by providing small-scale practical support to the family through hardship payments. This support may range from assistance in buying essential household equipment such as a cooker to procuring necessary clothing for a child such as a pair of shoes. The budget for financial year 2004/05 is £80,500.

 

The overall objective of this audit was to seek to provide assurance to management that the internal control system supports the achievement of management’s objectives.

 

Only partial Assurance can be given that the internal control system is operating satisfactorily. 

 

Significant findings were that the internal control system was not operating in accordance with financial procedures in relation to segregation of duties:-

 

·        There was a lack of internal control in respect of the segregation of duties within the Social Services Department;

·        Processing of invoices lacked appropriate signatory control within the creditor payments section.

 

We have made 3 recommendations for improvement all of which have been accepted by management, and 2 follow up actions for audit services.  

 

2.      The Council Tax System

 

The overall objective of the audit is to provide assurance to management that effective controls and procedures are in place to ensure that the Council Tax System is operating effectively.


The audit was carried out by interviewing relevant officers and carrying out testing on selected areas to determine the level of compliance with Council policy and procedures.


Overall, the systems in place within Council Tax are sound, with effective controls and procedures in place. There were no major areas of concern; however, four recommendations have been made, which are of a minor nature and refer to the administration of the service.

 

 Assurance can therefore be given to management that the systems in place are operating satisfactorily.

 

3.      Risk Based Review of Coastal Management

 

The audit was carried out as part of the 2004-05 Audit Plan agreed by the Audit Committee on 29th July 2004. The overall objectives were to provide assurance to management that the objectives of the service are being met and that appropriate risk mitigation strategies are in place and operating satisfactorily.

 

5 recommendations have been made to management as a result of this audit to improve the effectiveness of Risk Management. The recommendations are summarised as:

 

·        As part of the 2005-06 budget process consult with the Chief Financial Officer as to the possibility of part funding an Accounting Technician to make better use of management time

 

·        To review the IW Oil Spills Contingency Plan to ensure the information is accurate and current

 

·        To update the Quality Management System to include procedures for storage of electronic information

 

·        To ensure backed up electronic information is stored effectively

 

·        To discuss with the Risk Management Group the need for further risks to be entered on the Corporate Risk Register 

 

As part of the audit process Risk Treatment Action Plans were completed with the Coastal Section. These document the current controls implemented by the section to manage the risk and planned actions to improve the management of risks. These planned actions include:

 

·        The identification of skills shortages through the PDP process

 

·        The completion of round two of the Shoreline Management Plan

 

·        Development of the IW Coastal Visitors Centre and website to maximise dissemination of information

 

·        Development of an action plan for preparing for the impacts of climate change

 

·        Bid for resources to carry out Ventnor Groundwater feasibility study.

 

Assurance can be given to management that

 

·        overall the objectives of the service are being met and that current risk mitigation strategies are operating satisfactorily and,

 

·        that the planned actions once implemented will improve the management of risk and increase the likelihood of the achievement of objectives.

 

4.      Risk Based Review of Homelessness

 

The audit was carried out as part of the 2004-05 Audit Plan agreed by the Audit Committee on 29th July 2004. The overall objectives were to provide assurance to management that the objectives of the service are being met and that appropriate risk mitigation strategies are in place and operating satisfactorily.

 

Several minor recommendations have been made to management as a result of this audit. These relate to:

·        verifying the identity of homeless applicants,

·        reviewing the impact of the requirement for applicants and private rented accommodation to be served with a court order prior to eviction,

·        instituting annual checks on temporary accommodation, and

·        continuing discussions with software developers regarding the provision of management information.

 

As part of the audit process Risk Treatment Action Plans were completed with the Homelessness Section. These document the current controls implemented by the section to manage the risk and planned actions to improve the management of risks. These planned actions include:

 

·        Fast tracking of Housing Benefit claims with Housing Officers carrying out Verification Framework processes

 

·        Identification of empty homes and increased use of Empty Homes Management Orders

 

·        Introduction of mediation service and increased home visits to reduce the demands on the service

 

·        Planned addition of 350 permanent units through Housing Associations and private development

 

·        To implement an education programme working with schools, 16+ workers and Connexions

 

Assurance can be given to management that

 

·        overall the objectives of the service are being met and that current risk mitigation strategies are operating satisfactorily and,

 

·        that the planned actions once implemented will improve the management of risk and increase the likelihood of the achievement of objectives.

 

5.      GAGS – GENERAL

 

We continue to support the GAGS programme in a number of ways, primarily providing risk management and assurances services consistent with the Prince2 project management methodology.  We continue to attend the Programme Board meetings and “host” the GAGS Programme Risk Register, facilitating regular updates of the register.  We have been instrumental in improving programme controls, for example, the management of risk and the formulation of the approach to benefit realisation.

 

6.      CRM

 

We continue to support the CRM project and provide risk management and assurances services.  We attend the Project Board and periodically issue our one-page assurance report.  We have also been involved in the testing of Phase 3 of the CRM system and the development of the controls in Phase 4.  We “host” the CRM Risk Register, facilitating regular updates of the register.  We act as facilitators for the CRM Working Group, the forum that is responsible for the future direction of the system.  Our involvement ensures appropriate consideration is given to controls and risks, including more recently advice on the legislative considerations of proposed functionality to register and authenticate customers contacting the authority and the sharing of customer data.


7.      DIP

 

We continue to support the DIP project and provide risk management and assurances services.  We attend the Project Board and periodically issue our one-page project assurance report.  Latterly we have worked closely with the project manager to drive out a system for recording, monitoring and tracking project benefits – a set of protocols and templates we have shared with other projects.  We “host” the DIP Risk Register, facilitating regular updates of the register.

 

8.      E-PROCUREMENT

 

Our current activity has been to review the selection criteria and the application of those criteria for the purposes of short-listing the suppliers to go through to the next stage.

 

9.      ACCISS REPLACEMENT

 

We continue to support the ACCISS replacement project in a number of ways, primarily providing risk management and assurances services consistent with the Prince2 project management methodology.  We continue to attend the Project Board meetings and regularly issue our one-page project assurance report.  Latterly we have worked closely with the project manager to develop a system for assessing the operational preparedness of SWIFT (Launch Criteria assessments).  We facilitated the assessment of the Go-Live decision in September (which ultimately concluded that launch should be deferred).  We completed our work on the selection of the software solution for Supporting People, concluding with a review of the management process (and decision) to select an alternative product to SWIFT (SPOCC).  We are planning our work to assist in the selection of the product for Homecare.

 

10.  PO3 – Determine Technology Direction

 

On the 25th June we conducted the second risk based ICT audit defined under our new ICT Audit framework.  The documentation is currently being drafted in readiness for review by key stakeholders.  At this time it can be reported that the current overall result will be RED – this is defined as – “a significant threat exists to the achievement of objectives”.  We are currently working on the risk treatment action plans to manage the risks identified.  These will be dependent on better alignment between the respective business and ICT strategies, going forward.  The approach going forward has been discussed with senior management and the initial step will be to facilitate a workshop in November 2004 to map the business and technology drivers and undertake a gap analysis.  One of the key areas to address is the timetable for and the sequence of service planning.

 

11.  DS4 – Ensure Continuous Service

 

In June we started a body of work to review the Council’s business continuity recovery plans, building on the work conducted by Marsh.  This work aligns with the Directors’ Group report currently being drafted by the Chief Fire Officer.  Our concern, one shared by the Chief Fire Officer, is that we have no adequate processes in place to maintain the service recovery plans we have put in place.  Additionally, without further work, the plans will remain incomplete and inconsistent in a number of areas.  Additionally, we have started work with the Technical Standards Group to prepare Standards and templates for the preparation of the ICT component of the Business Continuity and Service Recovery plans for all areas.


12.  PARTNERSHIPS

 

MTI FUNDED PROJECTS

 

We are currently working with the Libraries, Museums and Archives Manager in an advisory capacity to produce the appropriate project documentation for a number of projects and we are providing risk registers and will help with developing risk mitigation strategies.

 

EXTENDED SCHOOLS

 

We are working with the Extended Schools Co-ordinator in an advisory and assurance capacity, assisting in the development of the risk profile for the Extended Schools Strategy.

 

SAFER COMMUNITIES

 

We are currently working with the Head of Democratic & Legal Services to draft a governance structure for the recently merged Drug Action Team and Crime & Disorder Partnership (“Safer Communities Partnership”).

 

LIBRARIES

 

We are currently working with the Library Service to develop the appropriate form of partnership agreement (including governance structure) between the Service and the Isle of Wight College.

 

13.  PROJECT MANAGEMENT

 

We are currently working with colleagues from Policy, ICT and the Learning Centre to construct a training programme and a best practice guide for project management as part of the CPA Improvement Plan.  This has also required us to evaluate providers for the training programme and evaluate various software products.

 

14.  COMMUNITY DEVELOPMENT/WIGHT LEISURE

 

We have worked with colleagues to prepare a “risk profile” report to facilitate the strategic decisions to be taken in respect of the re-integration of Wight Leisure.  The initial part of this work was the risk profiling to support the decisions regarding the classification of “activity areas” which has been used to determine the most appropriate provider for the activity (both internal and external).  The second part of this work is the risk profiling to support the business case for the redevelopment of Westridge.

 


APPENDIX B

 

AUDIT SERVICES REPORT – CORPORATE GOVERNANCE

 

 

1.                  EXECUTIVE SUMMARY

 

1.1       Introduction

The Local Government Act 2000 is challenging for local authorities. A common theme running through all of the Government’s requirements is the need for local authorities to review the various systems and processes they have in place for managing both their own internal affairs and their relationships with key stakeholders. Together these systems and processes comprise corporate governance. The concept and principles of corporate governance are directly relevant to local authorities and to the Government’s aim of democratic renewal.

The purpose of this report is to assess the level to which the IOW Council are complying with the underlying principles of good corporate governance in accordance with the CIPFA/SOLACE framework and to form an opinion of the effectiveness of the Council’s ability to demonstrate compliance with the framework.

1.2       Summary of Significant Findings

During financial year 2003/2004 the Council did not have its own local code of corporate governance. However, subsequent to the conclusion of the financial year, a Statement of Internal Control was developed which satisfies many of the requirements of a corporate governance code and will be developed further in order to comply fully with the requirement.


Members and senior officers are responsible for putting in place proper arrangements for the governance of the council’s affairs and the stewardship of the resources at its disposal. The code should be consistent with the principles and reflect the requirements of the CIPFA/SOLACE framework (Corporate Governance in Local Government: A Keystone for Community Governance). A copy of the code should be made available to the general public on the council’s website.


Many of the procedures, protocols and codes of conduct etc., which are key components of corporate governance, are documented in the council’s Constitution. This is available to the general public on the council’s website; however, it is presented as a continuous scroll with no page breaks. The hard copy of the document has a great many pages, and navigating the document on the website is therefore very difficult. Steps should be taken to improve this with page numbering and an index.

Gifts and Hospitality registers are an area of weakness, with some service teams using a central directorate register, others using their own individual team registers and others having no register at all.  The guidance issued refers to directorate registers; however, in practice the service teams in some directorates are spread over a wide area and in these circumstances using just one register is impractical.

Declarations/Registers of Interest was also noted as an area of weakness. Procedures are set out in the Codes of Conduct for both members and officers. For members a standard item is included on the agenda for all council meetings. However for officers the code only states that interests are to be “declared to the line manager” with no mention of “in writing”. The procedure has been tightened up and all members of staff are now required to complete a declaration of interests, which is reviewed in the PDR process. Staff with no interests to declare are required to complete a nil return. Our findings revealed that many of the service teams were unaware of these requirements and their staff had not completed the forms.  

1.3       Overall Conclusion
     
            The Council have many of the systems and procedures in place that conform
            to the principles of good corporate governance. These have been developed
            over a number of years in an ad-hoc manner and are generally sound.
            However, they are now being pulled together to provide a more coherent and
            structured approach. 

To enhance this process, it is recommended that the Council develops further the Statement of Internal  Control so that it encapsulates the full requirements of a local code of corporate governance, which is officially approved and adopted. This document should be reviewed at least annually in order to provide assurance that it is both adequate and effective and also to measure the level of the Council’s compliance with the modified Statement. 

 

            Standards of Conduct is an area in which codes of conduct for both
            members and officers are in place and are generally adhered to. However it
            was noted that in some instances evidence of compliance is inadequate.
            Steps have been taken to improve this area and regular reviews should be
            undertaken to ensure that widespread compliance is maintained.

            The IOW Council is generally complying with the underlying principles of
            good corporate governance in accordance with the CIPFA/SOLACE
            framework. However, there are areas where improvements are
            required before the Council can be considered to be fully complying with the
            framework. The Council must also be able to demonstrate compliance with
            the framework and whilst procedures and processes are in place to do this
            they are not always being followed.

1.4       Acknowledgements

            I would like to take this opportunity to thank all members of staff for their
            co-operation and assistance in carrying out this review.
 


Internal Audit Action Plan

 

Title of Report: Corporate Governance                                                                      

Date Final Report issued:  

 

1) Main Findings: The Council does not have a local code of corporate governance.
   Possible Consequences: Failure to meet expected standards of performance and conduct.
   Action Required: Incorporate the code in the Statement of Internal Control.
   Priority: 1
   Responsibility: Paul Wilkinson, John Lawson
   Target Date: 01/01/2005

2) Main Findings: There is a requirement to set standards and targets for performance in the delivery of services on a sustainable basis. Need to clarify meaning of sustainable as can mean ongoing regular basis or environmentally sustainable. There is a need to embed performance management into the organisational culture.
   Possible Consequences: Emphasis on wrong aspect of service delivery.
   Action Required: Clarify the meaning of the word sustainable in this instance. Improving ownership of the performance management agenda.
   Priority: 2
   Responsibility: John Bentley
   Target Date: 01/01/2005

3) Main Findings: Whilst some local performance indicators have been developed more are required to assist the measurement of performance in many of the service areas.
   Possible Consequences: Inaccurate and incomplete measurement of performance.
   Action Required: Develop additional local performance indicators.
   Priority: 2
   Responsibility: John Bentley
   Target Date: 01/01/2005

4) Main Findings: No evidence that resources were allocated according to priorities in the 2003/04 budget. The budget process for 2004/05 has been more closely linked to the service planning framework.
   Possible Consequences: Significant risks may not be appropriately mitigated.
   Action Required: Use risk management framework as one of the mechanisms for prioritisation and resource allocation.
   Priority: 2
   Responsibility: Paul Wilkinson
   Target Date: 11/10/2004

5) Main Findings: In view of the number of Partnerships that the Council has there is a need for a framework to be developed to ensure a corporate approach is maintained.
   Possible Consequences: Inconsistent agreements with different partners may reduce their effectiveness.
   Action Required: Develop a partnership framework.
   Priority: 2
   Responsibility: John Lawson
   Target Date: 01/01/2005

6) Main Findings: The Constitution is a continuous scroll on the intranet, which makes it a very slow process to find information.
   Possible Consequences: Time wasting and poor public perception. Due to navigational difficulties staff may not be aware of the requirements of the Constitution.
   Action Required: The Constitution on the intranet should include page numbers and an index to assist navigation.
   Priority: 3
   Responsibility: John Lawson
   Target Date: 01/01/2005

7) Main Findings: The Members’ Allowance Scheme is now reviewed by the Independent Remuneration Panel and not the Chief Financial Officer as stated in the Constitution. The new decision making structure is not reflected in the Scheme.
   Possible Consequences: Constitution and Members’ Allowance Scheme not in line with current practices.
   Action Required: Update the Constitution to reflect the new process for reviewing the Members’ Allowance Scheme. Update the Members’ Allowance Scheme in line with the new council structure.
   Priority: 3
   Responsibility: John Lawson
   Target Date: 01/01/2005

8) Main Findings: Whilst there is an Anti Fraud and Corruption Policy and Strategy in place it has not been reviewed recently.
   Possible Consequences: Inconsistencies between the Policy and Strategy and current practices.
   Action Required: Review the Anti Fraud & Corruption Policy and Strategy.
   Priority: 2
   Responsibility: Ged Richardson
   Target Date: 01/01/2005

9) Main Findings: A number of Service Units did not have a Gifts & Hospitality register and generally the process of reviewing those existing registers was inconsistent.
   Possible Consequences: Failure to comply with the relevant legislation.
   Action Required: Set up a Gifts & Hospitality Register for each Service Unit. Head of Service to review registers every quarter. Director to review Heads of Service registers. Chief Executive to review Directors’ registers. Monitoring Officer to review Chief Executive’s register. Amend relevant sections of Constitution and Codes of Conduct for Officers.
   Priority: 1
   Responsibility: S.M.T.
   Target Date: 01/11/2004

10) Main Findings: A number of Service Units were unaware that all members of staff were required to complete a Declaration of Interests form.
   Possible Consequences: Failure to comply with the relevant legislation.
   Action Required: Service Heads to ensure current staff complete a form of declaration. All new members of staff to complete a form at the same time as signing their contract of employment.
   Priority: 1
   Responsibility: S.M.T.
   Target Date: 01/11/2004

 

 

Priority Rating:

1 – Serious control weakness requiring immediate action.

2 – Control weakness requiring action within follow up period.

3 – Low priority control weakness requiring action within timescale determined by management.

 


AUDIT SERVICES REPORT

 

RISK MANAGEMENT

 

August 2004

 

 

 

Overall Objective

 

To assess the level to which Risk Management has been embedded within the Isle of Wight Council and to form a view on the adequacy and effectiveness of the strategy, framework and process for managing risk within the Authority.

 

 

Corporate requirements for Risk Management in the Isle of Wight Council?

 

The Corporate Plan 2002 –2005 : Excellence in Service Delivery:

 

“To improve our risk management & financial control procedures we will develop and implement a Risk Management Strategy for the Council.”

 

The CPA Improvement Plan 2003: In response to the District Audit letter the Council will take the following actions to improve Risk Management:

 

·         Review and restructure strategic and operational risk groups

·         Set up a new computerised Risk register

·         Embed Risk Management into service planning

·         Provide Risk Management training for key members and senior officers.

·         Cascade risk management training down through the council

 

The Annual Action statement 2003/04:- Strategically driven service delivery-

 

“Deliver the Risk Management Strategy” (CPA Action)

 

The Annual Action Statement 2004/05:- Leadership priorities 2004/05-

 

“Risk Management – attention will focus on roll out of Risk Management to service level – Comprehensive Service Risk Register in place by Dec 04”

 

 

The Role of Internal Audit in Risk Management

 

The role of Internal Audit in an organisation is to review the policies and processes in place to assess their effectiveness. Risk Management is no different to any other process. However, Internal Audit and Risk Management have common aims: the mitigation and control of risk. An assessment of the adequacy and effectiveness of the Authority’s Risk Management process provides a means for Internal Audit to contribute to the organisation’s Risk Management programme.

 

In addition, the progress in complying with the requirements of the CPA Improvement Plan, Corporate Plan and Annual Action Statement will be measured and reported on.

 

Individual Objectives

 

To enable an overall opinion to be formed on the level to which Risk Management has been embedded within the Isle of Wight Council an audit programme was developed that identified a number of key objectives that have to be individually satisfied in order to achieve compliance with the Authority’s aim.

 

 


Interviews were held with Heads of Service, the Compliance and Risk Manager and officers of the Insurance and Risk section and documentary evidence obtained to enable an opinion to be formed.

 

Appendix A shows the findings from the above and makes recommendations for improvement.

 

Risk Maturity Model

 

To enable Internal Audit to form a view on the effectiveness of the Risk Management Strategy an audit programme was developed that will assess the level of integration of Risk Management through five levels:-

 

1.      Awareness and understanding

2.      Implementation planned and in progress

3.      Implementation in all key areas

4.      Embedded and improving

5.      Excellent capability established

 

It is expected that Risk Management will be cascaded down through the Authority and therefore different levels of integration should be found throughout the Authority at any one moment in time. To assess the level of integration the following key areas have been examined:

 

1.      Leadership: Do senior managers and members support and promote risk management?

2.      Risk Strategy and Policies: Is there a clear risk strategy and are there risk policies?

3.      People: Are people equipped and supported to manage risk well?

4.      Partnerships and resources: Are there effective arrangements for managing risks with partners and are there appropriate supporting resources?

5.      Processes: Do the organisation’s processes incorporate effective risk management?

6.      Risk handling: Are risks handled well?

7.      Outcomes: Does risk management contribute to achieving outcomes?

 

The Risk Maturity model used was originally developed by HM Treasury for central government and therefore was deemed to be an appropriate choice for use in a Local Authority environment.

 

It is anticipated that the level of compliance will vary at any one time throughout the authority; therefore findings will reflect the overall picture unless there are significant variations between areas and levels.

Appendix B shows the position for 2003-04 and the anticipated level for 2004-05 based upon actions in progress.

 

Conclusion

 

The Isle of Wight Council has progressed well from a zero starting point in 2003-03 in its aim to embed risk management into the processes and policies of the organisation. However, the organisation needs to drive the process of maturing risk management to consistently build on the work of the last eighteen months. The recommendations made in Appendix A, if implemented, will assist the aims of the CPA improvement plan.

 

From the Risk Maturity model in Appendix B one main area of concern is the lack of risk management within partnership working. It is recommended therefore that the first target for addressing this issue is a Risk Workshop and the creation of a risk register for the Local Strategic Partnership.

 

Alison Bean

Audit Services

August 2004


ACTION PLAN

Objective | Findings | 2003/04 | 2004/05 + | Recommendations | Action by | Target date

1. The strategic goals of the organisation are defined in objectives that meet the SMART criteria

 

The IW Council has an overall mission – “to improve Island life”. Achievement of this mission is through 6 strategic aims, which are in turn split into key objectives. The Annual Action Statement identifies the tasks to be completed within the year to achieve these objectives.

Whilst the mission and strategic aims are not SMART, the key objectives and actions identified within the Annual Action Statement help to define specific actions, and timescales for achieving those actions, that work towards the achievement of objectives.

 

The Annual Action Statement for 2004/05 was presented to the Executive on the 16th June 2004 where it was adopted.

Consideration is being given to refreshing the strategic aims to identify whether they are still relevant. It may be useful to complete this exercise post May 2005 following the Council election.

 

The authority has a multitude of plans (corporate plan, CPA Improvement plan etc) developed in some cases independently of each other. To assist officers to understand how they can contribute to each plan and how the plans relate to each other the intranet site should have a simple one page diagram of how each plan “fits together” and its aims.

Head of Policy & Communications

 

 

 

 

Head of Policy & Communications

31.12.2005

 

 

 

 

 

31.12.2004

2. There is a corporate policy on Risk Management, formally adopted by the authority and promoted by the Council’s senior management including members

 

The Risk Management Framework for the Council, “Risk Management at the Isle of Wight Council”, was approved by the Strategic Risk Group in March 2004. It has been posted on the Insurance and Risk Management Section Intranet page. A member champion for Risk Management has been identified. The strategy includes terms of reference for the Risk Management group and the Strategic Risk group, and roles and responsibilities for each group and individual officers.

 

Strategy adopted March 2004

The majority of the actions identified within the Risk Management policy are aimed to be implemented within 2004/05

The framework identifies within the body of the text the actions to be taken across the authority to embed Risk Management. Appendix G identifies the annual timetable that provides a plan of when actions should be taken, but it is recommended that this is amended to include who is responsible for ensuring actions are taken and the review and response mechanism for confirming the timetable has been adhered to, and that a performance measurement system is implemented.

Chief Financial Officer

31.12.2004

3. Corporate risks are identified and recorded effectively

 

A corporate risk register is held on the Risk 2003 database held by the Insurance and Risk Management section.

Completed

Corporate risks emerging as part of service planning will be passed to the S Risk Management Group in October

 

 

 

4. Business and service plans are developed with the need to manage risks of all kinds in mind

 

Service planning from the summer of 2004 will include the requirement for each Head of Service to provide a service risk register and link the risks to service planning

N/a

Service planning to include service Risk Registers

The process for risk identification at service level is well documented within the Risk Management Strategy. It is recommended that a similar timetable and list of responsibilities is developed for the identification, classification and recording of risks by Directors and Members.

Chief Financial Officer

31.12.2004

5. Procedures are in place to ensure the identification of risks provides a complete picture and does not solely consider financial risks

Service planning guidance issued to all heads of service defines risk as “a threat that an event or action will adversely affect an organisation’s ability to achieve its objectives and successfully execute its policies”

Guidance provided

 

It is recommended that the service and corporate risk registers are monitored to ensure that all risks are considered and that there is not an over emphasis on financial risks

Chief Financial Officer

Ongoing

6. Procedures are in place to measure the impact / likelihood of risks occurring

 

The Service risk register guidance produced for 2004/05 includes a matrix that “scores” risks on a scale of remote, unlikely, likely and very likely for probability and low, medium, high and major for impact.

Used in the creation of the corporate and strategic registers and at workshops held by Insurance & Risk and the Audit Section

 

Used for service risk planning for 2004/05

 

 

 

7. Procedures are in place so that decisions as to whether or not to accept risks are properly taken

 

Appendix G of the Risk Management Framework – Roles and Responsibilities – identifies the Head of Service as responsible for managing service risks whilst the Director is responsible for managing strategic risks.

 

N/a

From 2004/05

Risk acceptance or treatment is the responsibility of management. Quality assurance of the Risk Management process is allocated to the Risk Management group. It is therefore recommended that they monitor the number of risks where no action is taken and provide guidance as required for appropriate risk mitigation strategies.

Chief Financial Officer

Ongoing

8. Once a risk has been identified both the risk and the mitigation strategy are allocated owners who are responsible for monitoring the performance of the risk and acting upon findings

 

 

 

 

The Risk Management Framework identifies the Strategic Risk group as responsible for performance monitoring of strategic risks and the Risk Management group for Corporate risks. Heads of Service are responsible for risks within the service risk register

Not in place for 2003-04

From 2004-05

The owners and responsibilities for corporate and strategic risks are identified within the Risk Management Framework. It is recommended that for service risks the performance of quality assurance processes in respect of Risk Management records and systems as allocated to the Risk Management group is better defined to include guidance on how and when the risk management process at service level is measured. Greater clarity is required for the role of the Audit Panel.

 

Chief Financial Officer

31.03.2005

9. Advice on the treatment of risk / loss is provided centrally to all levels in the organisation to provide a consistent approach to the treatment of risk

 

Risk treatment is less well defined and responsibility for risk treatment action plans lies with the risk owner. The Insurance and Risk Section are able to provide advice on the treatment of risk but their role should be more clearly defined and training provided where necessary.

Not in place 2003-04

 

It is recommended that whilst responsibility for risk treatment remains with management, more central support is available for guidance on risk treatment

Chief Financial Officer


ongoing

10. Realistic / appropriate timetables are established for the implementation of risk mitigation strategies with established procedures for obtaining additional funding where required

 

 

 

 

As risk management is only being implemented at service level in the current round of service planning it is too early to state whether timescales are achievable or appropriate. It is anticipated that major risks will be identified within service planning and funding requested as required.

Not in place for 2003-04

Service planning during the summer of 2004 should identify key risks and applications for funding made as appropriate.

It is recommended that guidance is issued to ensure that the distinction between growth bids and risk bids is clear and in the case of risk bids the appropriate method is used.

 

Chief Financial Officer

 

31.12.2004

11. Proposals for the treatment of risk are identified, documented and presented to decision makers

 

Proposals for the treatment of risk are identified for risks on the corporate and strategic risk registers, with control measures allocated a status (proposed, approved, in progress, implemented and withdrawn). As service risk registers are in the majority incomplete or non-existent, risk treatment is yet to be considered.

Satisfactory system for identifying and documenting treatment for corporate and strategic risk

It is anticipated that service risks will document risk mitigation in a similar method as employed for strategic and corporate risks.

 

 

 

12. Procedures are in place for evaluation of the effectiveness of risk treatment / control procedures

 

Limited performance management has been carried out on strategic and corporate risk treatment procedures and none for service risks.

Limited review of risk treatment performance has been carried out

Proposals for performance management of risk treatment plans have been discussed at risk management forums in June / July 2004

It was stated at the Risk Management group in June 2004 that “risk owners need simply to update the group at each meeting to inform them as to how a risk is behaving” and performance management of service risks is not in the terms of reference of the Risk Management group. It is recommended that if this is to remain the position of the group then they should ensure that sufficient knowledge and expertise of risk management is available at service level and it will be necessary to provide additional support to service risk owners whilst the authority is maturing its risk management processes.

 

Chief Financial Officer

 

31.3.2005

 

 

13. Procedures are in place to monitor the behaviour of risks and the effectiveness of risk mitigation strategies adopted through the use of performance indicators

 

There is very little evidence that the authority has progressed to the point that risk mitigation strategies can be measured through the use of performance indicators

 

 

 

 

 

None for 2003-04

 

The Risk Management strategy states that risks will be “performance managed in an appropriate way”. Expansion on this statement needs to be considered by the Risk Management group, along with guidance and training as required at all levels of the authority. Consideration should be given to developing the use of the P.I. facility within the Risk 2003 database.

 

 

Chief Financial Officer

 

31.3.2005

14. There is evidence that risk registers are regularly reviewed and updated

 

There is evidence that the corporate and strategic risk registers have been reviewed during 2003-04

Evidence for corporate and strategic risks for 2003-04

The Risk management strategy states that updating the service risk registers will be the responsibility of service heads. However, service heads will be required to update the Risk Management group quarterly on the status of control measures used to mitigate risks.

 

 

 

 

The Risk management group will need to monitor the quarterly response from service heads to ensure the registers are being regularly reviewed and updated.

 

Chief Financial Officer

 

 

Ongoing

15. Training / guidance on risk issues is provided to meet assessed needs

 

The Risk Management group will act as a forum for raising awareness across the authority.

The terms of reference for the Risk forums were not in place until March 2004; however, facilitated risk workshops were held with directors groups and service heads during the year

Guidance provided for service risk registers for summer 2004. Facilitated Risk workshops held with Directors groups and Heads of service

 

 

Recommended that information is obtained from across the authority on the level and nature of training required on risk management issues and an appropriate training plan devised

 

Chief Financial Officer


 

31.3.2005

16. There are appropriate forums for considering risk, including Terms of reference, accountabilities, reporting framework and support

 

The Strategic Risk Group and Risk Management group have Terms of reference; roles and responsibilities have been defined within the Risk Management Framework.

Not formally in place until end of 2003/04 although groups have been meeting throughout the year.

In place for 2004/05

Recommended that the terms of reference are reviewed later in 2004/05 to identify compliance with them and any adjustments that may be necessary to the constitution of risk forums. Terms of reference should be devised for the Audit Panel to clarify their role within Risk Management.

 

Chief Financial Officer

 

31.3.2005

17. There is awareness amongst Service Managers and Team Leaders of risk management principles

Risk Management is being cascaded down through the authority. Several service managers have risk registers already in place although for the majority this is a fairly new area. Internal Audit are carrying out a number of risk based audits during the next three years that have a completed risk register as one output.

Approximately 45 percent of team leaders and service managers have knowledge of risk management.

More workshops are planned with service managers throughout 2004-05. These will be facilitated by both Internal Audit and Insurance and Risk sections.

 

There are very limited resources within the two sections to actively introduce risk management at lower levels of the authority. Consideration should be given within service planning and resource allocation to increase the resources that can be committed to embedding risk management within the authority

 

Chief Financial Officer


31.3.2005

 


Risk maturity Framework Isle of Wight Council

 

 

Level 1 Awareness & understanding

Level 2 Implementation planned and in progress

Level 3 Implementation on all key areas

Level 4 Embedded and improving

Level 5 Excellent capability established

Leadership: Do senior management and members support and promote risk management?

Level 1: Top management are aware of the need to manage uncertainty & risk and have made resources available to improve

Level 2: Senior Managers & members take the lead to ensure that approaches are being developed and implemented

Level 3: Senior managers act as role models to apply risk management consistently and thoroughly across the organisation

Level 4: Top down commitment with embedding and integrating risk management as routine business practice

Level 5: Senior managers reinforce and sustain risk capability, organisational and business resilience and commitment to excellence. Leaders invited to speak at conferences about their success

Risk Strategy & policies: Is there a clear risk strategy and risk policies?

Level 1: Policies and strategies reviewed against risk principles

Level 2: Risk management principles are reflected in the organisation’s policies & strategies & communicated effectively

Level 3: Risk policies and strategies are communicated effectively and made to work through a framework of processes

Level 4: Risk handling is an inherent feature of all policies and strategy making processes

Level 5: Risk management capability in policy & strategy making is reviewed and improved. Role model status

People: Are people equipped and supported to manage risk well?

Level 1: Key people are aware of the need to assess and manage risks and they understand risk concepts and principles

Level 2: Suitable guidance is available and a training programme has been implemented to develop risk capability

Level 3: A core group of people have the skills and knowledge to manage risk effectively

Level 4: People are encouraged and supported to be more innovative. Regular training is available for people to enhance their risk skills

Level 5: All staff are risk aware and capable of using basic risk skills, tools and techniques

Partnerships & Resources: Are there effective arrangements for managing risks with partners and are there appropriate supporting resources?

Level 1: Key people are aware of areas of potential risk with partnerships, suppliers and management of significant resources and understand the need to agree approaches to manage these risks

Level 2: Approaches for addressing risk with partners and when managing assets and financial and other resources are being developed and implemented

Level 3: Risk with partners is managed consistently for all key areas and across organisational boundaries

Level 4: Sound governance arrangements established; partners & suppliers selected on basis of risk capability & compatibility

Level 5: Information integrity and asset security are assured. Financial and other resources effectively managed. Organisation regarded as a role model

Processes: Do the organisation’s processes incorporate effective risk management?

Level 1: Some stand alone risk processes have been identified

Level 2: Recommended risk management processes are being developed

Level 3: Risk management processes implemented in key areas. Risk capability self assessment tools used in some areas

Level 4: Risk metrics are collected. Risk management standards applied in some areas

Level 5: Management of risk & uncertainty is well integrated with all business processes. State of the art tools & methods are used. Selected as a benchmark site by other organisations

Risk Handling: Are risks handled well?

Level 1: No clear evidence that risk management is being effective

Level 2: Limited evidence that risk management is being effective in all relevant areas

Level 3: Clear evidence that risk management is being effective in all relevant areas

Level 4: Very clear evidence that risk management is being very effective in all areas

Level 5: Excellent evidence that risk management is being highly effective in all areas and improvement is being pursued

Outcomes: Does risk management contribute to achieving outcomes?

Level 1: No clear evidence of improved outcomes

Level 2: Limited evidence of improved outcome performance consistent with improved risk management

Level 3: Clear evidence of significant improvements in outcome performance demonstrated by measures including, where relevant, stakeholders’ perceptions

Level 4: Very clear evidence of very significant improved performance for all relevant outcomes and showing positive and sustained improvement

Level 5: Excellent evidence of markedly improved outcome performance which compares favourably with other organisations employing best practice

 

 

Key   

 

 

In place 2003/04

 

 

 

 

In progress for 2004/05

 

 

 

Limited compliance

2003-04